Configuring Delegation for Clients

Impala supports user and group delegation for client connections.

When users submit Impala queries through a separate application, such as Hue or a business intelligence tool, typically all requests are treated as coming from the same user. Impala supports delegation where users whose names you specify can delegate the execution of a query to another user. The query runs with the privileges of the delegated user, not the original authenticated user.

You also have an option to delegate using groups. Instead of listing a large number of delegated users, you can create a group of those users and specify the delegated group name in the Impalad startup option. The client sends the delegated user name, and Impala performs an authorization to see if the delegated user belongs to a delegated group.

The name of the delegated user is passed using the HiveServer2 protocol configuration property impala.doas.user when the client connects to Impala.

When the client connects over HTTP, the doAs parameter can be specified in the HTTP path. For example:

/?doAs=delegated_user

Currently, the delegation feature is available only for Impala queries submitted through application interfaces such as Hue and BI tools. For example, Impala cannot issue queries using the privileges of the HDFS user.

To enable delegation:

In Cloudera Manager, navigate to Clusters > Impala.
In the Configuration tab, click Impala-1 (Service-Wide) in the Scope and click Security in the Category.
In the Proxy User Configuration field, type the a semicolon-separated list of key=value pairs of authorized proxy users to the user(s) they can impersonate.
The list of delegated users are delimited with a comma, e.g. hue=user1, user2.
In the Proxy Group Configuration field, type the a semicolon-separated list of key=value pairs of authorized proxy users to the group(s) they can impersonate.
The list of delegated groups are delimited with a comma, e.g. hue=group1, group2.
Click Save Changes and restart the Impala service.